Use SAML Single Sign-On to obtain OAuth access token or code for using Box.com API


Problem description

We have SAML-based single sign-on (SSO) enabled between our company's Intranet Portal and Box so that the users do not use usernames and passwords to log in to Box.com. They just click on a button on the Intranet Portal which posts a SAML assertion to Box.com to authenticate.

We would like to provide the ability to our users to search their Box documents directly from the Intranet Portal and the Box.com API looks like a perfect fit. However, it requires an OAuth access token.

The questions are:


  1. Is there any way to obtain the OAuth token from SAML assertion?

  2. The Box Embed allows embedding of folder views on to other sites. Is there any way to embed just the search results? In other words, I am looking for a way to do this <iframe src="https://www.box.com/....?search=keywords"></iframe> where it would just display the search results in the iframe.


Recommended answer

1. I don't know if it is possible to get an OAuth2 token from a SAML assertion -- I'd think that it isn't -- but you can pretty easily configure a Box application to support your company's SSO. The first step of Box's OAuth2 authorization process is to redirect the user's browser to a URL similar to:

https://www.box.com/api/oauth2/authorize?response_type=code&client_id=MY_CLIENT_ID

On this page the user can log into Box with whatever credentials they chose and authorize your application to touch their files. In order to take advantage of your company's SSO integration, you will instead redirect the user to:

https://sso.services.box.net/sp/startSSO.ping
     ?PartnerIdpId=<YOUR_IDP_URN>
     &TargetResource=https%3A%2F%2Fwww.box.com%2Fapi%2Foauth2%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3DMY_CLIENT_ID

where:


  • The PartnerIdpId is the URN of your company's IdP.
  • The TargetResource is the HTTP-encoded version of the default OAuth2 authorization URL that was described above.

This will tell Box to bounce the user over to your IdP for authorization instead of prompting the user to log in with Box credentials. The OAuth2 process will then carry on as normal.

2. I don't know that this is possible either, but with a valid OAuth2 token you can easily tap into the Box Search API.
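
An added example (not part of the original answer) showing how the TargetResource value in the SSO URL above is produced, and what goes wrong if the authorize URL is pasted in unencoded. The IdP URN `urn:example:idp` is a constructed placeholder, and the helper names are hypothetical.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

SSO_START = "https://sso.services.box.net/sp/startSSO.ping"  # from the answer
AUTHORIZE = "https://www.box.com/api/oauth2/authorize"       # from the answer


def build_sso_url(idp_urn, client_id):
    """startSSO.ping URL that carries the whole authorize URL in TargetResource."""
    target = AUTHORIZE + "?" + urlencode(
        {"response_type": "code", "client_id": client_id})
    # safe="" also encodes ':' and '/', so the inner '?', '=' and '&' cannot
    # be read as part of the outer query string.
    outer = urlencode({"PartnerIdpId": idp_urn, "TargetResource": target},
                      quote_via=quote, safe="")
    return SSO_START + "?" + outer


def naive_sso_url(idp_urn, client_id):
    """The mistake to avoid: authorize URL pasted in without encoding."""
    return (SSO_START + "?PartnerIdpId=" + idp_urn + "&TargetResource="
            + AUTHORIZE + "?response_type=code&client_id=" + client_id)


def unpack(url):
    """Split a URL the way a standard query-string parser would: outer, then inner."""
    outer = parse_qs(urlsplit(url).query)
    inner = parse_qs(urlsplit(outer["TargetResource"][0]).query)
    return outer, inner


if __name__ == "__main__":
    idp = "urn:example:idp"  # constructed placeholder URN
    for label, url in (("encoded", build_sso_url(idp, "MY_CLIENT_ID")),
                       ("naive", naive_sso_url(idp, "MY_CLIENT_ID"))):
        outer, inner = unpack(url)
        print(label, sorted(outer), sorted(inner))
```

In the unencoded variant, `client_id` is parsed as a parameter of startSSO.ping rather than of the authorize URL, so the authorize request that follows the SSO bounce would arrive without it.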
